Addressing the Global Trafficking of Financial Data

Kurt Baumgartner, targeted attack expert and the principle security researcher at Kaspersky Lab, sat on a panel discussing how the global market for trafficking financial information has changed, how it works, and what companies can do to protect themselves at the Visa Global Security Summit this week.

Byron Acohido, security reporter at USA Today, and Donald Good, FBI section chief for cyber operations and outreach station, joined Baumgarnter on the panel, answering questions on the topic from the audience and moderator Joshua Meltzer, a fellow of global economics and development at the Brookings Institution.

There was a time when the vast majority of attacks targeted payment processors and firms directly related to financial services in an attempt to immediately acquire valuable financial information, Baumgartner explained, but those companies have improved their defenses and attackers have moved toward softer targets.

The end goal is the same: to compromise corporate accounts and steal sensitive information from them. What has changed is the effort and tactics needed to accomplish this goal. Now attackers are increasingly infiltrating data firms and other companies with secondary data – often second-factor confirmation information like pet names, mother’s maiden names, dates of birth, etc. – in an attempt to force side channels into the corporate networks in which the more directly valuable information lives.

Acohido explained that the relative security successes of the payment industry have lulled the general public into a sense of security. Other sensitive and personally identifiable information is collected on an unfathomably grand scale, isn’t as well protected as financial data, and can be used to steal identities. Unlike a stolen credit card, Acohido explained, which a credit card company is likely to resolve, there is no real insurance for a stolen identity.

So, the specific data and organizations targeted by attackers has clearly changed, the panel claimed, but the ways to defend against such attacks has only changed in that it has gotten better.

In fact, all the panelists agreed that cooperation between law enforcement agencies around the world and the cooperation between law enforcement and the private industry is the strongest it has ever been.

Good explained that the FBI has attachés set up in the embassies of more than 75 countries around the world, specifically in cybercrime hotspots and those nations known to harbor cybercriminal gangs. The FBI and other U.S. law enforcement agencies regularly work with law enforcement from other countries to track down, and in some cases extradite, international cybercriminals.

One member of the crowd asked who IT security teams should turn to first in the event of an intrusion, the company’s incident response team or the FBI.

Baumgartner and Good agreed this decision needs to be made well ahead of time, long before the intrusion takes place, and clearly defined within organizations incident response policy guidelines.

Beyond that, Good encouraged companies to establish relationships with federal law enforcement offices located near their places of businesses. His branch of the FBI, he explained, focuses primarily on outreach to corporations so that corporate security professionals at oft-targeted organizations have working relationships with the FBI before an attack has occurred.

“During an incident, response is a bad time to start making relationships with the FBI,” good said.

Good went on to encourage organizations to contact the FBI as soon as they see that something has occurred.

“Call the law enforcement,” he said, “and we’ll come in with cyber trained agents who are specially trained to preserve logs and gather other valuable threat information.”

Baumgartner would later explain in an interview with the Kaspersky Business Blog that this whole process is a two-way street, and that the FBI is very forthcoming about this reality. The FBI not only helps businesses under siege by supplying experts with a better understanding of just how thoroughly these complicated attacks penetrate corporate networks, but it also helps itself by studying the different and new ways that adversaries are launching their attacks.

Furthermore, corporations sometimes just shut down networks in an attempt to close off the perceived avenue of attack. Good and Baumgartner also agreed that in some cases enterprises fail to understand the true depth of these attacks, cutting off compromised networks without realizing that an attack is far more widespread than they realize.

Baumgartner also said in the interview that shutting down a network altogether often tips a business’s hat to an attacker or attack group that may in fact be idle. These attack groups, he explained, are sometimes working on a number of targets at once. They might penetrate a certain network and establish a foot-hold there, but be actively working on another network somewhere else, only coming back to the first network at a later time. So suspicious traffic may not have gotten down to the business of actually stealing anything yet, in which case, it’s good to get the FBI in there to do high-level forensics work before you scorch the earth – so to speak – by nuking the whole infected network.

This isn’t merely a matter of working together, catching crooks and learning from them after an attack has occurred. Protections are better – both for corporations and individuals – than they used to be, and organizations need to stay on top of that.

“On the client side, collection of this financial data is done using banking Trojans usually, and we have better protection against it now,” Baumgartner said in an interview with Kaspersky Business. “That includes better protection against key stroke logging, better protection against injection into web browsers. Much better protection for someone browsing their banking website and interacting with their website there. So there are huge improvements on the client side and also dealing with exploits like the java stuff and other common exploits to get banking Trojans on your machine.”

Stronger security for individuals reduces the chance that an employee- or client-machine will become infected and spread to the corporate network. There are better protection techniques and tools for the networks themselves as well though.

“On the server side, because web applications are so custom, and custom driven, or so proprietary, they become a more difficult piece to deal with,” Baumgartner said. “So actually protecting web apps becomes more difficult. But what you can do is work with technology that deals not only with white listing of trusted applications but also with outright denial [of bad ones].”

If some process starts up, he explained, and is running some strange code or attempting to communicate with some unknown server, admins need to be able to stop it.

“So [the attackers] would go in, use their SQL injection attack, …and they drop their backdoor on the system and the back door would include sniffer technology, but the backdoor would include some new code that just shouldn’t be running on the server,” Baumgartner said. “So if you actually have a technology that can provide a denial in a robust way that allows for an admin to say, ‘No this really is okay for this to work although what the heck is it doing on my server,’ you’re much more likely to be able to identify and immediately prevent the backdoors that these crews are running in the first place.”